Enforcing RFID data visibility restrictions using XACML security policies

Radio Frequency Identification (RFID) technology allows automatic data capture from tagged objects moving in a supply chain. This data can be very useful if it is used to answer traceability queries, however it is distributed across many different repositories, owned by different companies. Discovery Services (DS) are designed to assist in retrieving the RFID data relevant for traceability queries while enforcing sharing policies that are defined and required by participating companies to prevent sensitive data from being exposed. In this paper we define an interface for Supply Chain Authorization (SC-Az) and describe the implementation of two visibility restriction mechanisms based on Access Control Lists (ACLs) and Capabilities. Both approaches were converted to the standard eXtensible Access Control Markup Language (XACML) and their correctness and performance was evaluated for supply chains with increasing size

Datensicherheit trotz transparenter Güterströme: Datensicherheit trotz transparenter Güterströme: Kooperative Zugriffskontrolle für den Lieferketten-übergreifenden Einsatz automatisch erfasster Produktdaten

Die firmenübergreifende Datenintegration automatisch erfasster, produktbezogener Ereignisse ermöglicht eine verbesserte Sicht auf logistische Prozesse. Unternehmen möchten die dazu notwendige Weitergabe von durch sie erfassten Ereignissen jedoch attributgenau kontrollieren können. Da durch die Verkettung von Ereignissen aus mehreren Quellen Lieferbeziehungen zwischen Firmen ermittelt werden können, kann die Herausgabe von Ereignissen durch eine Firma die Sicherheitsanforderungen anderer Firmen verletzen. Ausgehend von einer Problemanalyse stellt dieser Beitrag ein Zugriffskontrollsystem vor, das solche externen Sicherheitsanforderungen in den Zugriffskontrollprozess einbeziehen kann. Es unterstützt die regelbasierte Delegation der Entscheidungsgewalt an Partnerunternehmen und die Kombination mehrerer Entscheidungen.The cross-company integration of automatically recorded product- related events enables an improved view of logistic processes. The individual companies, however, often strive to control the necessary information dissemination at attribute granularity. As the linking of events from different sources may permit business relationships between companies to be inferred, the dissemination of data acquired locally by one company might well violate the security requirements of other companies. Based on a problem analysis, this paper introduces an access control system which is able to accommodate such external security requirements. The system supports both rulebased delegation of the right to decide on access requests and combinations of multiple decisions

RFID IN REVERSE LOGISTICS RESEARCH FRAMEWORK AND ROADMAP

Reverse logistics is constantly gaining in importance for both research and practice. Research on RFID has so far concentrated on the use of RFID in order to support forward logistics processes, but is beginning to realize the specific potentials and benefits of RFID systems in this evolving research area. IS research has so far addressed individual and rather isolated aspects of this topic. In order to promote this evolving field of RFID research, we present a structuring framework and propose a roadmap for future research

Auto-ID enabled tracking and tracing data sharing over dynamic B2B and B2G relationships

RFID 2011 collocated with the 2011 IEEE MTT-S International Microwave Workshop Series on Millimeter Wave Integration Technologies (IMWS 2011)Growing complexity and uncertainty are still the key challenges enterprises are facing in managing and re-engineering their existing supply chains. To tackle these challenges, they are continuing innovating management practices and piloting emerging technologies for achieving supply chain visibility, agility, adaptability and security. Nowadays, subcontracting has already become a common practice in modern logistics industry through partnership establishment between the involved stakeholders for delivering consignments from a consignor to a consignee. Companies involved in international supply chain are piloting various supply chain security and integrity initiatives promoted by customs to establish trusted business-to-customs partnership for facilitating global trade and cutting out avoidable supply chain costs and delays due to governmental regulations compliance and unnecessary customs inspection. While existing Auto-ID enabled tracking and tracing solutions are promising for implementing these practices, they provide few efficient privacy protection mechanisms for stakeholders involved in the international supply chain to communicate logistics data over dynamic business-to-business and business-government relationships. A unified privacy protection mechanism is proposed in this work to fill in this gap. © 2011 IEEE.published_or_final_versio

The impact of perceived privacy risks on organizations' willingness to share item-level event data acrossthesupply chain

When information is available about the path, on which individual items move through the real world, many beneficial applications can be designed. The necessary data can be generated through attaching identifiers to items and deploying suitable readers all over the supply chain that capture the information on the identifiers. Organizations only have access to data about item movements within their organizational boundaries. Therefore sharing of data between organizations is required to gain full visibility. However, the willingness of organizations to share data is considered to be low. In this paper we present the results of a study that aimed at investigating the actual willingness of companies to share item-level data and at exploring the perceived privacy risks that may restrain companies from sharing item-level data. From the findings, requirements for the design of inter-organizational data sharing infrastructures are derive

An access control model for mobile physical objects

Access to distributed databases containing tuples collected about mobile physical objects requires information about the objects ’ trajectories. Existing access control models can-not encode this information efficiently. This poses a policy management problem to administrators in real-world supply chains where companies want to protect their goods track-ing data. In this paper we propose a new access control model as an extension to attribute-based access control that allows trajectory-based visibility policies. We prove the se-curity properties of our novel authentication protocol for distributed systems that can supply the decision algorithm with the necessary reliable information using only standard passive RFID tags. As a result companies will be able to improve confidentiality protection and governance of their object tracking data and more trustingly engage in data sharing agreements

IDEAS-1997-2021-Final-Programs

This document records the final program for each of the 26 meetings of the International Database and Engineering Application Symposium from 1997 through 2021. These meetings were organized in various locations on three continents. Most of the papers published during these years are in the digital libraries of IEEE(1997-2007) or ACM(2008-2021)